From: john matijevic (john.matijevic@gmail.com)
Date: Thu Apr 14 2005 - 16:36:16 GMT-3
Hello James and Team,
I was able to fix the ACL, so I was able to start the ISAKMP negotiation
process.
I now have the debug here:
crypto_isakmp_process_block:src:Test_Public, dest:65.240.142.186 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
On 4/14/05, john matijevic <john.matijevic@gmail.com> wrote:
>
>
>
> On 4/14/05, john matijevic <john.matijevic@gmail.com> wrote:
> >
> > Hello James,
> > OK, the modified ACL corrected it to a degree; it was .26, good catch. I fixed
> > the ACL, and it looks like now it's going through phase 1 and phase 2 of the
> > ISAKMP process; now it's stuck on key exchange. On the client I have debug
> > crypto isakmp, and I get the following:
> > message not encrypted.
> >
> > On 4/14/05, Lopez,James <JLOPEZ@vha.com> wrote:
> > >
> > > Hmm,
> > > If logging is on, you should see some kind of debug entries. Just to
> > > be sure, you have a device on the private side of the firewall and it is
> > > pinging, or something, a device on the other private network, correct?
> > > What does the access list, inside_access_in, look like on the server
> > > side?
> > >
> > >
> > > also,
> > > logging on
> > > logging buffered 7
> > > JL
> > > --
> > > *********************************************************************
> > > The information transmitted in this e-mail and in any replies and
> > > forwards are for the sole use of the above individual(s) or entities and may
> > > contain proprietary, privileged and/or highly confidential information. Any
> > > unauthorized dissemination, review, distribution or copying of these
> > > communications is strictly prohibited. If this e-mail has been transmitted
> > > to you in error, please notify and return the original message to the sender
> > > immediately at the above listed address. Thank you for your cooperation.
> > >
> > > *********************************************************************
> > >
> > > -----Original Message-----
> > > From: john matijevic [mailto:john.matijevic@gmail.com]
> > > Sent: Thursday, April 14, 2005 1:51 PM
> > > To: Lopez,James
> > > Subject: Re: dsl and pix
> > >
> > > Hello James,
> > > I changed the client to .26; still seems to be an issue.
> > > John
> > >
> > > On 4/14/05, Lopez,James <JLOPEZ@vha.com> wrote:
> > > >
> > > > Hi John,
> > > >
> > > > I see you're still having some issues. Looking at the config below, I'm
> > > > seeing the following; can you please double check.
> > > >
> > > > Server side:
> > > >
> > > > 192.168.101.0/24 -> 192.168.26.0/24
> > > >
> > > > Remote side:
> > > >
> > > > 192.168.21.0/24 -> 192.168.101.0/24
> > > >
> > > > What is the LAN subnet on the remote side .21.0 or .26.0 ?
> > > >
> > > > HTH,
> > > > Jim
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > john matijevic
> > > > Sent: Thursday, April 14, 2005 12:23 PM
> > > > To: Guilherme Correia
> > > > Cc: ccielab@groupstudy.com
> > > > Subject: Re: dsl and pix
> > > >
> > > > Hello Guilherme,
> > > > Thanks again for your help. On another client that is working, it has an
> > > > identical config on the key and the VPN is up; it has the same "no-xauth"
> > > > and "no config-mode" that I am trying to configure, and the server does not
> > > > have these options. Also, if there was a key negotiation failure we would be
> > > > able to see that using the debug crypto isakmp during the key exchange
> > > > phase of IPsec. I am not getting any IPsec debug output when I enable the
> > > > debugs. Thanks again for all of your efforts.
> > > > Sincerely,
> > > > John
> > > >
> > > > On 4/14/05, Guilherme Correia <razzolini80@hotmail.com> wrote:
> > > > >
> > > > > HI John,
> > > > >
> > > > > Additionally, add "no-xauth" and "no config-mode" on the "isakmp key" on
> > > > > the server side.
> > > > > Check with "clear isakmp sa" and "debug crypto isakmp".
> > > > >
> > > > > HTH
> > > > > #13754
> > > > > =================
> > > > >
> > > > >
> > > > > Hello Guilherme and Team,
> > > > > The command is on the server:
> > > > > crypto ipsec transform-set usinstall esp-3des esp-md5-hmac
> > > > > I just didn't include it in the output, but it's there on the server.
> > > > > Thanks again Team.
> > > > > Sincerely,
> > > > > John Matijevic, CCIE #13254
> > > > >
> > > > > On 4/14/05, Guilherme Correia <razzolini80@hotmail.com> wrote:
> > > > > >
> > > > > > Hi John
> > > > > >
> > > > > > I don't see:
> > > > > >
> > > > > > crypto ipsec transform-set
> > > > > >
> > > > > > on your server side; make sure that it is the same as the client side.
> > > > > >
> > > > > > ================================
> > > > > >
> > > > > > Hello Team,
> > > > > > I appreciate all of your help on this one. Here is an update on the
> > > > > > particular issue I am having: I can ping from the external address to
> > > > > > the other external address; however, I can't seem to get to phase 1 of
> > > > > > IPsec. I turn on the debug for crypto and I see no output. I am
> > > > > > attaching the configs here for assistance. Also, on the client side
> > > > > > there is a PIX with a DSL connection; on the server side, there is a
> > > > > > router on the outside with a T1 coming in and then a PIX firewall.
> > > > > > Please feel free to call me if you need any additional information.
> > > > > > Sincerely,
> > > > > > John Matijevic, CCIE #13254
> > > > > > Senior Network Engineer
> > > > > > U.S. Installation Group
> > > > > > 954-969-7160 extension 1147 office
> > > > > > 305-321-6232 cell
> > > > > > Client config:
> > > > > >
> > > > > > name 192.168.101.0 Server
> > > > > > access-list inside_outbound_nat0_acl permit ip 192.168.21.0 255.255.255.0 Server 255.255.255.0
> > > > > >
> > > > > > access-list outside_cryptomap_20 permit ip 192.168.21.0 255.255.255.0 Server 255.255.255.0
> > > > > >
> > > > > > access-list inside_access_in remark VPN access to Server
> > > > > > access-list inside_access_in permit ip 192.168.21.0 255.255.255.0 Server 255.255.255.0
> > > > > > access-list inside_access_in remark Block all Access
> > > > > > access-list inside_access_in deny ip 192.168.21.0 255.255.255.0 any
> > > > > >
> > > > > > global (outside) 1 interface
> > > > > > nat (inside) 0 access-list inside_outbound_nat0_acl
> > > > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > > > > > access-group inside_access_in in interface inside
> > > > > > route outside 0.0.0.0 0.0.0.0 68.213.219.250 1
> > > > > >
> > > > > > sysopt connection permit-ipsec
> > > > > > sysopt connection permit-pptp
> > > > > >
> > > > > > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> > > > > >
> > > > > > crypto map outside_map 20 ipsec-isakmp
> > > > > > crypto map outside_map 20 match address outside_cryptomap_20
> > > > > > crypto map outside_map 20 set peer 65.240.142.186
> > > > > > crypto map outside_map 20 set transform-set ESP-3DES-MD5
> > > > > >
> > > > > > crypto map outside_map interface outside
> > > > > > isakmp enable outside
> > > > > > isakmp key ******** address 65.240.142.186 netmask 255.255.255.255 no-xauth no-config-mode
> > > > > >
> > > > > > isakmp policy 20 authentication pre-share
> > > > > > isakmp policy 20 encryption 3des
> > > > > > isakmp policy 20 hash md5
> > > > > > isakmp policy 20 group 2
> > > > > > isakmp policy 20 lifetime 86400
> > > > > >
> > > > > > Server Config:
> > > > > >
> > > > > > name 192.168.26.0 Client
> > > > > > name 68.213.219.250 Client_Public
> > > > > >
> > > > > > object-group network RemoteLocationsVPN
> > > > > > description These are the remote locations that VPN in to this network.
> > > > > > network-object Client 255.255.255.0
> > > > > >
> > > > > > access-list 10 permit ip 192.168.101.0 255.255.255.0 Client 255.255.255.0
> > > > > >
> > > > > > access-list 20 permit tcp host Client_Public host 65.240.142.187 eq www
> > > > > >
> > > > > > access-list 106 permit ip 192.168.101.0 255.255.255.0 Client 255.255.255.0
> > > > > >
> > > > > > ip address outside 65.240.142.186 255.255.255.248
> > > > > > ip address inside 192.168.101.1 255.255.255.0
> > > > > >
> > > > > > global (outside) 1 interface
> > > > > > global (outside) 4 65.240.142.189
> > > > > >
> > > > > > nat (inside) 0 access-list 10
> > > > > > nat (inside) 1 192.168.101.0 255.255.255.0 400 200
> > > > > >
> > > > > > access-group 20 in interface outside
> > > > > > access-group inside_access_in in interface inside
> > > > > > route outside 0.0.0.0 0.0.0.0 65.240.142.185 1
> > > > > >
> > > > > > sysopt connection permit-ipsec
> > > > > > sysopt connection permit-pptp
> > > > > >
> > > > > > crypto map corpvpn 106 ipsec-isakmp
> > > > > > crypto map corpvpn 106 match address 106
> > > > > > crypto map corpvpn 106 set peer Client_Public
> > > > > > crypto map corpvpn 106 set transform-set usinstall
> > > > > >
> > > > > > crypto map corpvpn interface outside
> > > > > > isakmp enable outside
> > > > > >
> > > > > > isakmp key ******** address Client_Public netmask 255.255.255.255
> > > > > >
> > > > > > isakmp identity address
> > > > > > isakmp policy 10 authentication pre-share
> > > > > > isakmp policy 10 encryption 3des
> > > > > > isakmp policy 10 hash md5
> > > > > > isakmp policy 10 group 2
> > > > > > isakmp policy 10 lifetime 86400
> > > > > >
> > > > > > ---------- Forwarded message ----------
> > > > > > From: john matijevic <john.matijevic@gmail.com>
> > > > > > Date: Apr 12, 2005 5:11 PM
> > > > > > Subject: dsl and pix
> > > > > > To: ccielab@groupstudy.com
> > > > > >
> > > > > > Hello Team,
> > > > > > I was wondering if anyone has come across using DSL for internet in a
> > > > > > corporate environment and has used the PIX firewall for establishing a
> > > > > > VPN network over the DSL network. Please contact me offline to discuss.
> > > > > > Sincerely,
> > > > > > John Matijevic
> > > > > > 305-321-6232
> > > > > >
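The "reserved not zero on payload 5!" / "malformed payload" lines in the debug at the top of this thread are what a PIX logs when it cannot walk the payload chain of an incoming ISAKMP message. Payload type 5 is the Identification payload, which in main mode is carried in messages 5 and 6, the first encrypted ones; when the two peers hold different pre-shared keys the responder derives a different SKEYID, decrypts those messages to noise, and the RESERVED byte of the first generic payload header is no longer zero. The Python below is an added example, not code from the thread or from Cisco: it builds an IKEv1 header and payload chain per RFC 2408 and shows the responder's result with a matching and a mismatched key. The cookies, nonces and addresses are constructed, HMAC-SHA256 stands in for the negotiated HMAC-MD5 prf, and an XOR keystream stands in for 3DES-CBC; both are assumptions for the demonstration, not the real IKE key schedule.

```python
# Added example (not from the thread or from Cisco): an IKEv1/ISAKMP (RFC 2408)
# header and payload-chain parser, used to show why a pre-shared-key mismatch is
# reported as "reserved not zero on payload 5!" / "malformed payload" once main
# mode reaches the encrypted messages 5 and 6 (payload type 5 = Identification).
import hashlib
import hmac
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # I-cookie, R-cookie, next, version, exchange, flags, msgid, length
GENERIC_HDR = struct.Struct("!BBH")        # next payload, RESERVED (must be zero), payload length
PAYLOAD_ID, PAYLOAD_HASH = 5, 8
EXCHANGE_MAIN, FLAG_ENCRYPTED, ID_IPV4_ADDR = 2, 0x01, 1

def build_payloads(chunks):
    """chunks = [(payload_type, body), ...]; returns (first_type, wire_bytes)
    with the next-payload chain filled in and RESERVED set to zero."""
    out = b""
    for i, (ptype, body) in enumerate(chunks):
        nxt = chunks[i + 1][0] if i + 1 < len(chunks) else 0
        out += GENERIC_HDR.pack(nxt, 0, GENERIC_HDR.size + len(body)) + body
    return chunks[0][0], out

def build_message(icookie, rcookie, first, payloads, flags=0):
    return ISAKMP_HDR.pack(icookie, rcookie, first, 0x10, EXCHANGE_MAIN, flags, 0,
                           ISAKMP_HDR.size + len(payloads)) + payloads

def parse_payloads(msg):
    """Walk the payload chain as a receiving peer does. Raises ValueError with the
    same wording the PIX debug in the thread uses when a header is not well formed."""
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("malformed payload")
    hdr = ISAKMP_HDR.unpack_from(msg)
    nxt, length = hdr[2], hdr[7]
    if length != len(msg):
        raise ValueError("malformed payload")
    off, seen = ISAKMP_HDR.size, []
    while nxt != 0:
        if off + GENERIC_HDR.size > len(msg):
            raise ValueError("malformed payload")
        nxt2, reserved, plen = GENERIC_HDR.unpack_from(msg, off)
        if reserved != 0:
            raise ValueError(f"reserved not zero on payload {nxt}!")
        if plen < GENERIC_HDR.size or off + plen > len(msg):
            raise ValueError("malformed payload")
        seen.append((nxt, msg[off + GENERIC_HDR.size:off + plen]))
        off, nxt = off + plen, nxt2
    return seen

def skeyid(psk, ni, nr):
    """IKEv1 with pre-shared keys: SKEYID = prf(PSK, Ni | Nr). HMAC-SHA256 stands in
    for the negotiated HMAC-MD5 (assumption: toy stand-in, not the real key schedule)."""
    return hmac.new(psk, ni + nr, hashlib.sha256).digest()

def toy_cipher(key, data):
    """Stand-in for 3DES-CBC: XOR with a hash-derived keystream (assumption). The
    property that matters is the same: the wrong key turns the payloads into noise."""
    blocks = len(data) // 32 + 1
    ks = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def main_mode_msg5(psk, ni, nr, initiator_ip):
    """Initiator's main-mode message 5: encrypted ID(IPv4 address) and HASH payloads.
    Cookies are constructed; the HASH body is a placeholder."""
    id_body = bytes([ID_IPV4_ADDR, 0, 0, 0]) + bytes(int(o) for o in initiator_ip.split("."))
    first, body = build_payloads([(PAYLOAD_ID, id_body), (PAYLOAD_HASH, b"\x00" * 16)])
    return build_message(b"\x01" * 8, b"\x02" * 8, first,
                         toy_cipher(skeyid(psk, ni, nr), body), FLAG_ENCRYPTED)

def responder_process(psk, ni, nr, msg):
    """Responder decrypts with *its* PSK, then parses. Returns the IP in the ID
    payload on success, or the text the PIX debug would show on failure."""
    plain = msg[:ISAKMP_HDR.size] + toy_cipher(skeyid(psk, ni, nr), msg[ISAKMP_HDR.size:])
    try:
        for ptype, body in parse_payloads(plain):
            if ptype == PAYLOAD_ID:
                return ".".join(str(b) for b in body[4:8])
        return "no ID payload"
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    ni, nr = b"\x11" * 8, b"\x22" * 8                       # constructed nonces
    msg = main_mode_msg5(b"same-secret", ni, nr, "68.213.219.250")
    print("matching PSK  :", responder_process(b"same-secret", ni, nr, msg))
    print("mismatched PSK:", responder_process(b"other-secret", ni, nr, msg))
```

The practical check this encodes: if Phase 1 gets through messages 1 to 4 and the first complaint is about payload 5, compare the `isakmp key` on both peers before touching the crypto map or ACLs, because nothing in the cleartext exchange validates the key until the ID payload has to be decrypted.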
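The mismatch James points out (server side 192.168.101.0/24 -> 192.168.26.0/24, remote side 192.168.21.0/24 -> 192.168.101.0/24) is the usual LAN-to-LAN failure: the crypto ACLs bound by `crypto map ... match address` on the two peers have to be mirror images of each other, or the proxy identities will not agree and Phase 2 never completes. The Python below is an added example, not code from the thread or from Cisco, that parses the PIX 6.x `name` and `access-list ... permit ip` lines of the kind shown in the configs above, follows the crypto map to its ACL, and lists entries that have no mirror on the other peer. The two embedded config snippets are copied from the thread and trimmed to the relevant lines; `SERVER_CFG_FIXED` is an assumed corrected version in which the `Client` name points at 192.168.21.0, not a config anyone posted.

```python
# Added example (not from the thread): mirror-image check for two PIX 6.x
# site-to-site peers' crypto ACLs. Resolves "name" aliases, follows the crypto map
# to its ACL, and reports permit-ip entries that the other peer does not mirror.
import ipaddress
import re

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
MATCH_RE = re.compile(r"^crypto map\s+(\S+)\s+\d+\s+match address\s+(\S+)$")

# Trimmed from the configs posted in the thread.
CLIENT_CFG = """
name 192.168.101.0 Server
access-list outside_cryptomap_20 permit ip 192.168.21.0 255.255.255.0 Server 255.255.255.0
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 65.240.142.186
"""

SERVER_CFG_BROKEN = """
name 192.168.26.0 Client
name 68.213.219.250 Client_Public
access-list 106 permit ip 192.168.101.0 255.255.255.0 Client 255.255.255.0
crypto map corpvpn 106 ipsec-isakmp
crypto map corpvpn 106 match address 106
crypto map corpvpn 106 set peer Client_Public
"""

# Assumed fix (not a config from the thread): the Client name points at the LAN
# the remote PIX actually protects.
SERVER_CFG_FIXED = SERVER_CFG_BROKEN.replace("name 192.168.26.0 Client", "name 192.168.21.0 Client")

def parse_config(text):
    """Return {acl_name: [(src_net, dst_net), ...]} with name aliases resolved.
    Only 'permit ip <net> <mask> <net> <mask>' lines are considered, which is
    all a crypto ACL for a LAN-to-LAN tunnel should contain."""
    names, acls = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            names[m.group(2)] = m.group(1)  # alias -> address
            continue
        m = ACL_RE.match(line)
        if m:
            acl, s, sm, d, dm = m.groups()
            src = ipaddress.ip_network(f"{names.get(s, s)}/{sm}", strict=False)
            dst = ipaddress.ip_network(f"{names.get(d, d)}/{dm}", strict=False)
            acls.setdefault(acl, []).append((src, dst))
    return acls

def crypto_acl(text):
    """Entries of every ACL bound with 'crypto map <map> <seq> match address <acl>'."""
    acls = parse_config(text)
    entries = []
    for raw in text.splitlines():
        m = MATCH_RE.match(raw.strip())
        if m:
            entries.extend(acls.get(m.group(2), []))
    return entries

def mirror_mismatches(local_cfg, remote_cfg):
    """Two lists: local entries with no (dst, src) twin on the remote, and remote
    entries with no (dst, src) twin locally. Both empty means the ACLs mirror."""
    local = set(crypto_acl(local_cfg))
    remote = set(crypto_acl(remote_cfg))
    missing_on_remote = sorted(e for e in local if (e[1], e[0]) not in remote)
    missing_on_local = sorted(e for e in remote if (e[1], e[0]) not in local)
    return missing_on_remote, missing_on_local

def fmt(entries):
    return [f"{s} -> {d}" for s, d in entries]

if __name__ == "__main__":
    for label, server in (("as posted", SERVER_CFG_BROKEN), ("assumed fix", SERVER_CFG_FIXED)):
        on_remote, on_local = mirror_mismatches(CLIENT_CFG, server)
        print(label, "| client entries not mirrored on server:", fmt(on_remote))
        print(label, "| server entries not mirrored on client:", fmt(on_local))
```

Run against the two posted snippets it reports the client's 192.168.21.0/24 -> 192.168.101.0/24 entry as unmirrored and the server's 192.168.101.0/24 -> 192.168.26.0/24 entry as unmirrored, which is exactly the .21/.26 confusion in the thread; the same check is worth running on the `nat (inside) 0` ACLs, since they must cover the same pairs or the traffic is translated before it ever reaches the crypto map.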
This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:58 GMT-3